3 Answers
3

You have several questions in the same message; you might get better results splitting them up.

However, I will try to answer the sshd question and the unmatched one.

I get several thousands of failed sshd attempts per day, sometimes more. I ignore them because I use secure passwords, do not have "guest" accounts which have weak passwords, and do not allow users to choose weak passwords.

There are many probes for security every day, if not every hour. If you worry about them all, you'll go insane. The real question to ask is how secure your system is against these probes. If you have some of the common user accounts without passwords, with weak passwords, or with guest logins (without passwords or with common ones), then you should fix that. If not, well, ignore them.

The unmatched entries are from something that is accepting IPv4 addresses and displaying IPv6 "mapped addresses" -- my imapd does this. It may just be that. Can you look manually and match up PIDs?

I can't immediately speak for the IMAP entries, but the sshd logs are very characteristic of someone (well, some program) trying to gain access by brute-force password guessing. In my opinion, you should do something about that, or they will eventually guess someone's bad password, and even until then dealing with each of these attempts uses server resources. Different people find different solutions.

I went out and about to find out what people do, and made my own decision, which involved using iptables to rate-limit sshd connections; you can read about that in my technote. Others have gone for suggestions I wrote about but decided not to implement, or technologies like fail2ban.
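
As an added example (not code from any of the answers above), the following sketch tallies failed sshd password attempts per source address and folds IPv4-mapped IPv6 addresses such as `::ffff:203.0.113.7` back to plain IPv4, so entries logged in both forms are counted together. The log lines are constructed samples in the usual OpenSSH syslog format, and the function names and the threshold of 3 are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in OpenSSH syslog style (not from the original post).
SAMPLE_LOG = """\
Mar  3 04:11:02 host sshd[2101]: Failed password for invalid user guest from 203.0.113.7 port 40112 ssh2
Mar  3 04:11:05 host sshd[2103]: Failed password for root from ::ffff:203.0.113.7 port 40120 ssh2
Mar  3 04:11:09 host sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 40131 ssh2
Mar  3 04:12:40 host sshd[2140]: Failed password for alice from 198.51.100.23 port 51514 ssh2
Mar  3 04:12:48 host sshd[2140]: Accepted password for alice from 198.51.100.23 port 51514 ssh2
"""

FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<addr>\S+) port \d+"
)

def normalize(addr):
    """Return the address as text, unwrapping IPv4-mapped IPv6 to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)

def failed_by_source(log_text):
    """Count failed password attempts per normalized source address."""
    counts = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            src = normalize(m.group("addr"))
        except ValueError:
            continue  # not an IP literal (e.g. a resolved hostname); skip it
        counts[src] += 1
        users.setdefault(src, set()).add(m.group("user"))
    return counts, users

def suspects(log_text, threshold=3):
    """Sources with at least `threshold` failures, with the usernames they tried."""
    counts, users = failed_by_source(log_text)
    return {src: sorted(users[src]) for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for src, names in suspects(SAMPLE_LOG).items():
        print(src, names)
```

A single source trying several unrelated usernames, as in the sample, is the pattern of automated password guessing; one failure followed by a success from the same address is more likely a mistyped password.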